COMODO Internet Security 5.0.158836.1079 BETA Bug Reports

Please post all bug reports & BSODs here and make sure to include:

  1. Your Operating System (32 or 64 bit) and Service Pack revision
  2. Other Security and Utility Software Installed
  3. Step by step description to reproduce the issue
  4. How you tried to resolve the problem
  5. Upload Memory Dumps on crash if you encounter any
  6. Attach screenshots to your posts to clarify the issue further
  7. Any other information you think that might be useful
  8. The CIS Security profile you're using, and if you imported a previous version of the config

It’s vital to provide all this information, so the developers can quickly identify and fix bugs faster.

This format will be strictly moderated. If your messages do not convey this format, they are not going to be taken into account.

It’s very important to know what security profile you're using and if you imported a previous config, and if you have changed settings from default, e.g. enabled “block all unknown requests if the application is closed” etc.

For those who observe freeze issues while doing a full scan:

Here is what you need to do in order to identify the problematic file while scanning:

1 - Disable Defense+
2 - Download Process Explorer from Process Explorer - Sysinternals | Microsoft Learn
3 - Run Process Explorer
4 - In Process Explorer, select View->Lower Pane View->Handles
5 - In Process Explorer Process window, click on cmdagent.exe
At this stage, in the lower pane, you should be seeing handles opened by cmdagent.exe. You are particularly interested in “Type File”
6 - Open CIS and Run a Scan → My Computer.

Wait until the scan hangs. When the scan hangs, you must go to Process Explorer and check the Lower Pane for open “File Handles”. One of those handles is causing this issue. Probably an archive file. Please identify that file and let us know.
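
The handle check in the steps above can also be logged from an elevated PowerShell prompt, so the files cmdagent.exe opened just before the hang are recorded on disk. This is an added example, not part of the original post or of COMODO's tooling; it assumes the Sysinternals `handle.exe` command-line tool (a separate download from Process Explorer) is at the path shown, and the paths and function names are placeholders.

```powershell
# Added example: poll the file handles held by cmdagent.exe and log every newly
# seen path with a timestamp. When the scan hangs, the tail of the log lists the
# candidate files. Stop with Ctrl+C.
# Assumptions: handle.exe location, log location, elevated prompt.

$HandleExe = 'C:\Tools\handle.exe'              # assumed install location
$LogFile   = "$env:TEMP\cmdagent-handles.log"   # assumed log location

function Get-OpenFilePath {
    param([string[]]$HandleOutput)
    # handle.exe prints file handles as: "  1A4: File  (RW-)   C:\path\to\file"
    foreach ($line in $HandleOutput) {
        if ($line -match '^\s*[0-9A-Fa-f]+:\s+File\s+(?:\([^)]*\)\s+)?(.+)$') {
            $Matches[1].Trim()
        }
    }
}

function Watch-ScannerHandles {
    param([string]$ProcessName = 'cmdagent', [int]$IntervalMs = 500)
    $seen = New-Object 'System.Collections.Generic.HashSet[string]'
    while ($true) {
        # -p limits the dump to the named process; non-file handle types are
        # filtered out by the regex in Get-OpenFilePath.
        $out = & $HandleExe -accepteula -nobanner -p $ProcessName 2>$null
        foreach ($path in (Get-OpenFilePath -HandleOutput $out)) {
            if ($seen.Add($path)) {
                # Log each path once, at the moment it is first observed.
                "{0:o}  {1}" -f (Get-Date), $path | Add-Content -Path $LogFile
            }
        }
        Start-Sleep -Milliseconds $IntervalMs
    }
}

Watch-ScannerHandles
```

Start it before step 6, run the scan, and read the last entries of the log once the scan stops making progress.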

Well I have the first bug for the new version.

  1. Your Operating System (32 or 64 bit) and Service Pack revision
    Windows 7 32 bit

  2. Other Security and Utility Software Installed
    none, testing in VM machine.

  3. Step by step description to reproduce the issue
    Follow the steps listed here: FullSubject.com is for sale | HugeDomains. The AV stops this attack, but disabling the AV and leaving everything else intact, CIS fails to stop this attack. It is the .lnk extension POC exploit.

  4. How you tried to resolve the problem
    nothing.

  5. Upload Memory Dumps on crash if you encounter any
    none

  6. Attach screenshots to your posts to clarify the issue further
    not needed.

  7. Any other information you think that might be useful
    just follow the directions in that post and disable the AV, you will see it gets bypassed at the moment.

  8. The CIS Security profile you're using, and if you imported a previous version of the config
    stock configuration.

There is an update from Microsoft, that fixes this issue.=)


From what I know it only fixes half the issue: it fixes that browse-to-it issue but not the double-click issue. I will test it again on my own host PC that has all of the updates from MS to see if it affects it then.

OS: Windows 7 X86
Other security software installed: Avira AntiVir Premium

Comodo sandboxed several programs but the counter on the main window and the “Active process list (Sandboxed only)” still shows 1, even if there were more.

See screenshots 1 and 2: Comodo shows “SoundMax” in the sandboxed programs list, while the warning shows “Format Factory” also.
This happened for 3, 4 or more programs also.

Main window and “Sandboxed processes list” still shows only one process.

P.S.: Adding “Analog Devices Inc.” to Trusted software list is also a good option.


That means those processes exited and do NOT run anymore.

My previous statement still stands. I have tested the exploit on my host machine and it’s still there. All the Windows update did is stop the exploit from running by just going to the folder, but it did not stop the exploit from running by double clicking it. CIS should stop that, and as of right now in my testing it does not. Hopefully this can be fixed soon.

Have you made sure rundll32.exe is executed? It is exploiting a bug in explorer.exe… I don’t see rundll32.exe being executed at all.

I’m not sure how it is doing it, but if you read that entire thread I posted, you can see how other security solutions respond to the exploit. I’m sure it is finding an exploit in explorer.exe but CIS should protect from exploits like that, don’t you think? From some news I have read online, some major virus builders are now starting to use the .link exploit. I think one of them is using the Virut variant.

The exploit is a Windows XP bug. It is NOT a buffer overflow. It is NOT related to command-line parsing either.
I am afraid it is not in the scope of this beta testing. For the corporate environment, application whitelisting is the only reliable way to proactively prevent this. But that is not applicable for the desktop users. Btw, CIS 3.x or CIS 4 (if the DLL is from a removable device) would alert for the runDLL version of this too.

OK, but I have the same bypass in Windows 7, which I am running. Well, I hope you guys take a look at it and maybe sometime address it, or maybe MS will do it.

Yep, not just XP but others too. We analyzed it. MS has to issue a fix for this asap. The proactive measures are going to be too noisy for the end user.

Okay, one good news is that now when you right click an executable (tried with Firefox) it sandboxes properly, i.e. all my profile features are running. Bad news is that it doesn’t appear in the list of active processes as sandboxed, but just as running normally (although it really is sandboxed). Now if you sandbox Firefox permanently, or temporarily but still from CIS UI, Firefox launches with very limited features, most options are reset to default + no extension running, and again, it doesn’t appear as sandboxed in the active process list.

One last thing, already mentioned with the last build: the context menu option to sandbox only appears with executables directly, not with their shortcuts.

  1. Your Operating System (32 or 64 bit) and Service Pack revision >>> W7/64

  2. Other Security and Utility Software Installed >>> Avast5 (so no CAV)

  3. Step by step description to reproduce the issue >>>
    right click an executable and asked for it to be sandboxed
    or set it to be always sandboxed from CIS UI
    or once from CIS UI

  4. How you tried to resolve the problem >>> na

  5. Upload Memory Dumps on crash if you encounter any >>> na

  6. Attach screenshots to your posts to clarify the issue further >>> na

  7. Any other information you think that might be useful >>> no

  8. The CIS Security profile you're using, and if you imported a previous version of the config >>> proactive security profile. Also, I uninstalled CIS 4 completely and rebooted before installing CIS5 beta. And I don’t “block requests for apps when closed”.

Yes, I have seen this in Win7 too. It’s a bug in active process list. They are actually sandboxed.

  1. Your Operating System (32 or 64 bit) and Service Pack revision >>> W7/64

  2. Other Security and Utility Software Installed >>> Avast5 (so no CAV)

  3. Step by step description to reproduce the issue >>>
    launch Google Chrome with firewall in safe mode and “create rules for safe applications” unchecked

No rule was created at all; I would have expected a prompt??? An allow-all rule got created automatically as soon as I checked “create rule for safe app”, which I had to edit and set as “web browser”. Next step is leaving “safe mode” and switching back to “custom policy”.

  4. How you tried to resolve the problem >>> switch to “custom policy” mode
  5. Upload Memory Dumps on crash if you encounter any >>> na
  6. Attach screenshots to your posts to clarify the issue further >>> na
  7. Any other information you think that might be useful >>> no
  8. The CIS Security profile you're using, and if you imported a previous version of the config >>> proactive security profile. Also, I uninstalled CIS 4 completely and rebooted before installing CIS5 beta. And I don’t “block requests for apps when closed”.

edit: on a side note, in the same conditions I had a regular alert for Firefox, although Mozilla is in the safe list too.

  1. Your Operating System (32 or 64 bit) and Service Pack revision - WinXP Pro SP3 32 bit
  2. Other Security and Utility Software Installed - SAS and MBAM on demand
  3. Step by step description to reproduce the issue - Just a GUI glitch
  4. How you tried to resolve the problem - n/a
  5. Upload Memory Dumps on crash if you encounter any - n/a
  6. Attach screenshots to your posts to clarify the issue further - n/a
  7. Any other information you think that might be useful - n/a
  8. The CIS Security profile you're using, and if you imported a previous version of the config - Clean Install - Proactive Security - Imported config from Beta 2

Same as Beta 1 and 2:

I notice that you can’t maximize or minimize the window for the D+ Computer Security Policy. Only the close X is visible. The Firewall Network Security Policy window is OK, it has all three.

https://forums.comodo.com/beta-corner-cis/comodo-internet-security-501569851061-beta-bug-reports-t59791.0.html;msg420318#msg420318

I think that’s exactly how it’s supposed to work and is not a bug at all.

I wouldn’t be surprised and I was wondering. I just don’t agree with this behavior. And again, there’s been a created rule for Firefox in the same conditions, so that doesn’t make sense. Both Mozilla and Google are in the safe vendor list.

  1. Your Operating System (32 or 64 bit) and Service Pack revision >>> W7/64

  2. Other Security and Utility Software Installed >>> Avast5 (so no CAV)

  3. Step by step description to reproduce the issue >>>
    reboot or just log off and back in
    GfxUI.exe (Intel graphics panel) keeps appearing in a sandbox prompt, although I sent it to the trusted file list several times now, and of course also clicked on “don’t isolate again” on the dialog prompt. GfxUI.exe doesn’t appear at all in the trusted file list. It’s not sandboxed either (checked the folder).

Also a few other processes (OpenOffice starter) kept being sandboxed after two reboots although sent to the trusted file list. It finally worked as expected after a third reboot.

  4. How you tried to resolve the problem >>> na, I don’t want to hide the alerts.
  5. Upload Memory Dumps on crash if you encounter any >>>
  6. Attach screenshots to your posts to clarify the issue further >>>
  7. Any other information you think that might be useful >>>
  8. The CIS Security profile you're using, and if you imported a previous version of the config >>> proactive security profile. Also, I uninstalled CIS 4 completely and rebooted before installing CIS5 beta. And I don’t “block requests for apps when closed”.

Adding that fortunately I don’t get that horrible pop-up (huge white log) anymore about GfxUI. So thanks for fixing that.


Which Firefox are you using?
The Minefield or Beta will generate a pop up and rule creation.
The general release doesn’t make a firewall rule in safe mode unless you have checked to “create rules for safe apps.”
Are you sure about what settings you were in when the rule was made?

Disagreeing with a behavior does not make it a Bug. Maybe a Wish.